Virtual environments offer enterprises flexibility and the ability to consolidate assets. In some cases they even make it possible to reduce power consumption. But all that flexibility comes with a cost.
"The problem many organizations encounter is that they do provide a bit less visibility than physical infrastructures that you can touch and feel," said Reggie Best, chief product officer at Lumeta Corporation in Somerset, New Jersey. "You don't really always know, certainly from a security operations or a network operations perspective, what's going on inside those virtual environments."
The visibility problem
Network topology in a virtualized world can be changed on the fly, and new pathways may exist for a limited time. How can administrators know for sure what's happening (or what's already happened) when their infrastructure goes virtual?
Network visibility impacts security. But it also affects efficiency. "The network exists to support the business, and not the favorite mobile phone application du jour," said Mike Patterson, founder and CEO of Plixer International in Kennebunk, Maine.
If primary applications—e-mail, for example, or Salesforce.com—suffer from slow connection times, administrators need to have a good awareness of the network's state in order to identify the culprit. "Is it the server? Is it the client? Is it a particular hop within the network?" Patterson asked.
Maintaining situational awareness in a network allows a company to "understand and prioritize applications and services based on the business requirements," according to Andy Singleton, director of product management at Plano, Texas-based Masergy. "If you've got network awareness, the network can adjust and accommodate strategic assets or strategic initiatives for the company."
Making decisions on bandwidth allocation and resource usage is difficult to do if administrators only have a view into what's going on in their network's physical assets, without correlating insight into the virtual infrastructure.
Singleton offered an example to illustrate why network awareness matters. Suppose an organization is seeing assets being consumed by non-business activities (think: employees watching movies). This use of resources may cause a company to "look at doing upgrades and services increases," Singleton explained. Many of those could prove to be unnecessary if only the enterprise had better awareness.
"If that network was more application-aware and they could understand, okay, these applications get priority, these applications get service and these do not, they could probably decrease their costs and likely increase productivity," Singleton said.
The challenges of maintaining network state awareness after virtualization
A primary obstacle in maintaining awareness within a virtualized environment is the sheer flexibility offered by the technology. As organizations facilitate self-service and provide discrete business units with greater control over the assets they use, the ability to maintain a single point of awareness diminishes.
"We've been to some organizations where they're spinning up dozens, hundreds, even thousands of virtual machines in that infrastructure to do their business on a self-service basis," Best said. The people in security or network operations have "lots of potential for stuff going on inside there that they don't really know."
The problem in many cases goes beyond just knowing how network resources are being consumed. Those virtual assets may hold intellectual property, customer records or sensitive financial data, all of which should really be managed more closely than what may be happening in the self-serve model of virtualization.
As new technologies in the virtualization space emerge, they continue to add to the layers of challenges administrators face in maintaining network awareness. "There are features like VMware's vMotion, which allows the physical location of the application to actually move dynamically for performance reasons," Patterson explained. "When that happens, the router providing traffic details on the connections to the server or hosting the application might suddenly show no traffic at all because the application moved."
Strategies for better network awareness with virtualization
Fortunately for administrators, many vendors aren't just facilitating virtualization, they're also offering solutions to help maintain a lock on network awareness. Patterson said that VMware, for example, has released a software update that supports IPFIX on a virtual server, addressing the potential issue tied to use of vMotion. "That means that flows containing details about the connections continue to be exported, even when the location of the application keeps migrating."
Where administrators bump up against obstacles to holistic network awareness, Patterson suggested they may not need to look far for help, adding, "many customers still don't know that they just simply need to turn it on and start collecting it."
With multiple groups having the potential to modify the network to suit their needs, security policies to control specific applications may be another useful approach. "Most of the firewalls out there can do that application-level stuff, but it's not at every site," Singleton said. "It's only when it traverses that particular device."
But being able to recognize traffic—and either permit it, deny it, or rate limit it—can be a critical tool in maintaining awareness. "Maybe I won't be able to stop it at the premises, but maybe in my data center I can stop it. Or maybe in the data center I can recognize it." He cautioned that this provides only a partial picture. "It's not exactly where we need to be, but it is a picture."
Other policies could also have a great impact on the amount of visibility administrators have into their virtual and hybrid networks. "It might, for example, be a policy that if you're spinning up assets in a public piece of a hybrid cloud, that those elements up there are not supposed to have any forwarding devices or gateways to other networks that are not vetted by network operations or security operations," Best explained. He added that policies on the kind of data allowed in the public portion of a hybrid cloud may also be useful.
As administrators formulate policies that will be effective in their particular environments, they're also looking for tools to manage all this stuff. "There's no scanning solution in the marketplace that's going to be able to figure out and detect when these things are occurring and to identify policy violations that are occurring," Best said. Solutions, such as Lumeta's ESI, are available right now and may offer the ability to "look for and listen for those kinds of changes dynamically as they're occurring," Best said.
Tools that offer near real-time alerts of potential policy violations and notable flow data may be good places to start. Administrators can then leverage these, gaining the ability to examine the network and determine where a security event may be occurring, as a way to improve their network awareness across every type of infrastructure asset.
Photo courtesy of Shutterstock.